Re: Web Application Penetration Testing Tools

From: Robert J. Brown (rjb@robertjbrown.com)
Date: Mon Oct 13 2003 - 19:26:28 EDT


Brian E said:

> Does anyone know of some other good tools for auditing web applications with
>the ability to manipulate form data and cookies before being sent to the
>server?

I prefer the Unix platform so my tool of choice has been SSLProxy. You can
also build it with Cygwin to work under Windows if that is your style.

Its only function is to act as a proxy to remove the SSL encryption. You can
then use whatever tool you want on the client side to manipulate cookie data,
referrer values, session IDs, etc. It also allows you to sniff the traffic and
see exactly what is going on. Works great and best of all - it's GPL'd.

With this tool, you can use non-SSL aware client tools for manipulating data.
This is one of the biggest benefits.

You can find it at:

http://www.obdev.at/products/ssl-proxy/index.html

Here is a bit of info from the readme file:

What is sslproxy?
=================
sslproxy is a transparent proxy that can translate between encrypted
and unencrypted data transport on socket connections. It also has
a non-transparent mode for automatic encryption-detection on netbios.

sslproxy has been developed to have more secure servers available for
the secure mode of Sharity (a CIFS/SMB client for Unix). However, the
program can also be used for a multitude of other security related
applications.

What are the typical applications for sslproxy?
===============================================
sslproxy can be used to make a secure server for HTTP, telnet, POP,
CIFS/SMB etc. without changing the server itself. It's therefore
possible to turn an NT file server into a secure file server, to turn a
telnet daemon into an SSL telnet daemon etc.
The opposite is also possible: sslproxy can turn an ordinary client
into its SSL variant without changing anything on the client. It's
e.g. possible to make secure telnet connections from Windows NT.

Regards,

-Robert

-- 
Robert J. Brown
Email:   rjb@robertjbrown.com
Web:     http://www.robertjbrown.com
PGP Key: http://www.robertjbrown.com/rjbpgp.asc
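
The client-side arrangement described in the message (a non-SSL-aware tool speaks plaintext to a local proxy, which speaks SSL to the server), as an added Python example; it is not sslproxy's code and not part of the original message. The function names, local port 8080 and the host example.com are assumptions, and the upstream leg uses Python's `ssl` module with certificate verification left on.

```python
import select
import socket
import ssl
import threading

def upstream_context():
    """TLS settings for the proxy-to-server leg; certificate checks stay on."""
    ctx = ssl.create_default_context()   # CERT_REQUIRED plus hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def bridge(client, server, on_chunk):
    """Relay bytes both ways until either side closes.

    on_chunk(direction, data) sees every cleartext chunk: the point where
    cookies, referrer values and session IDs can be inspected.
    """
    peers = {client: (server, "C>S"), server: (client, "S>C")}
    try:
        while True:
            readable, _, _ = select.select(list(peers), [], [])
            for src in readable:
                dst, direction = peers[src]
                data = src.recv(16384)   # large enough for a full TLS record
                if not data:             # EOF from either side ends the relay
                    return
                on_chunk(direction, data)
                dst.sendall(data)
    except OSError:                      # reset or TLS error: drop the pair
        pass
    finally:
        client.close()
        server.close()

def serve(listen_port, host, port=443):
    """Accept plaintext on loopback only and forward it over TLS to host."""
    ctx = upstream_context()
    with socket.create_server(("127.0.0.1", listen_port)) as listener:
        while True:
            client, _ = listener.accept()
            try:
                raw = socket.create_connection((host, port), timeout=10)
                tls = ctx.wrap_socket(raw, server_hostname=host)
            except OSError:              # upstream unreachable or bad cert
                client.close()
                continue
            threading.Thread(target=bridge, daemon=True,
                             args=(client, tls, lambda d, b: print(d, b))).start()

if __name__ == "__main__":
    serve(8080, "example.com")           # assumed values, not from the post
```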


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:41 EDT